(Re)organize handling of CORS access control during resource loading.

Source/core/loader/TextTrackLoader.cpp

 /*
  * Copyright (C) 2011 Google Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 64 matching lines @@
 
     if (m_state == Failed)
         return;
 
     if (!m_cueParser)
         m_cueParser = VTTParser::create(this, m_document);
 
     m_cueParser->parseBytes(data, length);
 }
 
-void TextTrackLoader::corsPolicyPreventedLoad()
+void TextTrackLoader::corsPolicyPreventedLoad(SecurityOrigin* securityOrigin, const KURL& url)
 {
-    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Cross-origin text track load denied by Cross-Origin Resource Sharing policy."));
+    String consoleMessage("Text track from origin '" + SecurityOrigin::create(url)->toString() + "' has been blocked from loading: Not at same origin as the document, and parent of track element does not have a 'crossorigin' attribute. Origin '" + securityOrigin->toString() + "' is therefore not allowed access.");
     m_document.addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, consoleMessage);
     m_state = Failed;
 }
 
 void TextTrackLoader::notifyFinished(Resource* resource)
 {
     ASSERT(this->resource() == resource);
-
-    if (!m_crossOriginMode.isNull()
-        && !m_document.securityOrigin()->canRequest(resource->response().url())
-        && !resource->passesAccessControlCheck(m_document.securityOrigin())) {
-
-        corsPolicyPreventedLoad();
-    }
-
     if (m_state != Failed)
         m_state = resource->errorOccurred() ? Failed : Finished;
 
     if (m_state == Finished && m_cueParser)
         m_cueParser->flush();
 
     if (!m_cueLoadTimer.isActive())
         m_cueLoadTimer.startOneShot(0);
 
     cancelLoad();
 }
 
 bool TextTrackLoader::load(const KURL& url, const String& crossOriginMode)
 {
     cancelLoad();
 
     FetchRequest cueRequest(ResourceRequest(m_document.completeURL(url)), FetchInitiatorTypeNames::texttrack);
 
     if (!crossOriginMode.isNull()) {
-        m_crossOriginMode = crossOriginMode;
         StoredCredentials allowCredentials = equalIgnoringCase(crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
-        updateRequestForAccessControl(cueRequest.mutableResourceRequest(), m_document.securityOrigin(), allowCredentials);
-    } else {
-        // Cross-origin resources that are not suitably CORS-enabled may not load.
-        if (!m_document.securityOrigin()->canRequest(url)) {
-            corsPolicyPreventedLoad();
-            return false;
-        }
+        cueRequest.setCrossOriginAccessControl(m_document.securityOrigin(), allowCredentials);
+    } else if (!m_document.securityOrigin()->canRequest(url)) {
+        // Text track elements without 'crossorigin' set on the parent are "No CORS"; report error if not same-origin.
+        corsPolicyPreventedLoad(m_document.securityOrigin(), url);
+        return false;
     }
 
     ResourceFetcher* fetcher = m_document.fetcher();
     setResource(fetcher->fetchRawResource(cueRequest));
     return resource();
 }
 
 void TextTrackLoader::newCuesParsed()
 {
     if (m_cueLoadTimer.isActive())
@@ skipping 28 matching lines @@
 }
 
 void TextTrackLoader::getNewRegions(Vector<RefPtr<VTTRegion> >& outputRegions)
 {
     ASSERT(m_cueParser);
     if (m_cueParser)
         m_cueParser->getNewRegions(outputRegions);
 }
 
 }